Nothing Special   »   [go: up one dir, main page]

US10419410B2 - Automatic generation of unique identifiers for distributed directory management users - Google Patents

Automatic generation of unique identifiers for distributed directory management users Download PDF

Info

Publication number
US10419410B2
US10419410B2 US15/379,721 US201615379721A US10419410B2 US 10419410 B2 US10419410 B2 US 10419410B2 US 201615379721 A US201615379721 A US 201615379721A US 10419410 B2 US10419410 B2 US 10419410B2
Authority
US
United States
Prior art keywords
user identification
user
identification value
values
range
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US15/379,721
Other versions
US20180176200A1 (en
Inventor
Deivapalan Perumal Govindan
Christopher David Gouge
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Seagate Technology LLC
Original Assignee
Seagate Technology LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Seagate Technology LLC filed Critical Seagate Technology LLC
Priority to US15/379,721 priority Critical patent/US10419410B2/en
Assigned to SEAGATE TECHNOLOGY LLC reassignment SEAGATE TECHNOLOGY LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GOUGE, CHRISTOPHER DAVID, GOVINDAN, DEIVAPALAN PERUMAL
Publication of US20180176200A1 publication Critical patent/US20180176200A1/en
Application granted granted Critical
Publication of US10419410B2 publication Critical patent/US10419410B2/en
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4523Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using lightweight directory access protocol [LDAP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L61/1523
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/30Types of network names
    • H04L2101/365Application layer names, e.g. buddy names, unstructured names chosen by a user or home appliance name
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/30Managing network names, e.g. use of aliases or nicknames
    • H04L61/3005Mechanisms for avoiding name conflicts
    • H04L61/3065
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Definitions

  • the present disclosure relates to aspects of electronic directories, and relates in particular to improvements to the use of automatically-generated user identifiers within electronic directories.
  • Electronic data stores and computerized directories have begun to utilize distributed aspects, where directory functionality and data itself is spread over multiple servers, networks, etc. Distributed directories may benefit from increased high-volume and globalized capability, and may dynamically replicate entries as needed. Some temporary inconsistencies may exist between machines in distributed models for a short amount of time, but any inconsistencies are typically addressed quickly. However, as electronic directories proliferate, a relative disorder of platform or company-specific versions led to an eventual need for a platform-independent, standardized, and Internet-connected model.
  • the X.500 directory standard which runs on Open Systems Interconnection (OSI), accomplishes some of the goals, but has known drawbacks.
  • OSI Open Systems Interconnection
  • X.500 runs on the OSI protocol stack (as opposed to the widely-used transmission control protocol and Internet protocol suite (TCP/IP) or other connection-oriented transfer service), and had robust, or “heavyweight,” features and capacities that were often neither needed nor used.
  • OSI protocol stack as opposed to the widely-used transmission control protocol and Internet protocol suite (TCP/IP) or other connection-oriented transfer service
  • LDAP Lightweight directory access protocol
  • LDAP Lightweight directory access protocol
  • the formulation of LDAP eschews various components and functionalities of the broader-scope X.500, while streamlining others (e.g., the shift from OSI to TCP/IP), leading to an efficient, and widely-disseminated protocol for distributed or large-scale directory management.
  • LDAP utilizes a client-server model, whereby a user (or a device) can connect to any of several servers and still access the same entry, in the form of a global directory service.
  • LDAP entries are generally arranged in a hierarchical tree-like structure, and ordering of entries is not typically required.
  • a general purpose and goal of LDAP relates to streamlining and improving usefulness and efficiency in directories, generally including information relating to individuals, stored in the form of entries.
  • the various entries (which may represent, for example, individuals) are assigned a unique identifying name (called a distinguished name (DN)), details and characteristics, such as a first and/or last name, user role, phone number, email address, employee number, office location, common name, home directory, password, etc.
  • DN distinguished name
  • HPC high-performance computing
  • LDAP often utilizes one or more so-called “schemas” related to various tasks or directory functions
  • LDAP also employs entries, which may be prescribed and governed by a schema.
  • a schema is often a grouping of fundamental information categories known as entries. Each schema is composed of mandatory and/or optional entry information categories and which may serve as frameworks or templates for various directory-related database organizations.
  • An entry for the purposes of the LDAP framework, include attributes which may have a name and one or more values related to an object (e.g., an employee, administrator, system, etc.). The attributes may include qualities or names related to the object in question, such as a unique, user identifier (UID) for a particular user's account, among many other attributes.
  • UID unique, user identifier
  • a UID is typically an identifier or serial number that identifies a user entry (e.g., a human user or device), and a UM may be referred to as a distinguished name (DN) (including a full filesystem file path), or a relative distinguished name (RDN) (the relevant filesystem file name in its relevant parent folder).
  • DN distinguished name
  • RDN relative distinguished name
  • a DN may change over time, as needed, for example if an entry is moved from one location to another.
  • the server will not or cannot add a duplicate entry, but may give an error or result code of “entry already exists.”
  • the new entry to be added must not already exist, and the new entry's immediate superior in the hierarchy or directory must exist.
  • a system in one aspect of the present disclosure, includes a controller operatively connected to at least a memory device and a storage device, the controller configured to perform various steps.
  • the steps to be performed include receiving a plurality of user identification values.
  • Another step to be performed includes determining a first range of the plurality of user identification values, the first range including a first minimum user identification value and a first maximum user identification value.
  • Another step to be performed includes assigning a first user identification value to a first user from the first range of the plurality of user identification values to a first user based on the first minimum and maximum user identification values.
  • Another step to be performed includes determining a second user identification value from the first range of the plurality of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values.
  • Yet another step to be performed includes assigning the second user identification value to a second user.
  • a second aspect of the present disclosure is directed to an account generation method.
  • the method includes receiving a plurality of user identification values.
  • the method also includes determining a first range of the user identification values, the first range including a first minimum user identification value and a first maximum user identification value.
  • the method also includes assigning a first user identification value to a first user from the first range of the plurality of user identification values to a first user based on the first minimum and maximum user identification values.
  • the method also includes creating a first user account based on the assigning the first user identification value to the first user.
  • the method also includes determining a second user identification value from the first range of the plurality of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values.
  • the method also includes assigning the second user identification value to a second user. And, the method also includes creating a second user account based on the assigning the second user identification value to the second user.
  • a third aspect of the present disclosure is directed to a computer program product including a computer-readable storage device having a computer-readable program stored therein, where the computer-readable program, when executed on a computing device, causes the computing device to receive a plurality of user identification values.
  • the computing device is also caused to determine a first range of the plurality of user identification values, the first range including a first minimum user identification value and a first maximum user identification value.
  • the computing device is also caused to assign a first user identification value to a first user from the first range of the plurality of user identification values to a first user based on the first minimum and maximum user identification values.
  • the computing device is also caused to create a first user account based on the assigning the first user identification value to the first user.
  • the computing device is also caused to determine a second user identification value from the first range of the plurality of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values.
  • the computing device is also caused to assign the second user identification value to a second user.
  • the computing device is also caused to create a second user account based on the assigning the second user identification value to the second user.
  • FIG. 1A is a conceptual illustration of a two-account structured distributed directory access scheme.
  • FIG. 1B is a conceptual illustration of a named account distributed directory access scheme.
  • FIG. 2 is a schematic relational diagram showing database components in a distributed directory access scheme, according to various embodiments.
  • FIG. 3 is a flowchart for the automatic assignments of UIDs for administrator access to a distributed directory manager, according to various embodiments.
  • FIG. 4 is an illustration of an example UID assignment process in a distributed directory, according to various embodiments.
  • FIG. 5 is an example schema that can be employed with the automatic assignment of UIDs according to various embodiments.
  • FIG. 6 is an example routine for assigning a UID, according to various embodiments.
  • FIG. 7 is a subset of the example routine of FIG. 6 , where the next free UID is assigned, according to various embodiments.
  • FIG. 8 is another subset of the example routine of FIG. 6 , where a hole is found and a new range assigned, according to various embodiments.
  • FIG. 9 depicts a computer system according to embodiments of the present disclosure.
  • the present invention overcomes various disadvantages and shortcomings of the prior art relating to the automatic generation of unique identifiers, and in particular to improved methods and systems for the automatic generation of new, collision-avoiding user identifiers (UIDs), especially within the industry-standard framework of LDAP.
  • UIDs new, collision-avoiding user identifiers
  • Collision-free, named-account-based UIDs can be generated automatically by continuously-incrementing numeric UIDs within holes or gaps within available ranges of UIDs within a preset range when a directory database is instantiated.
  • ClusterStor® and the associated ClusterStor® manager products (and registered trademark) of Seagate Technology.
  • Directory schemas as used with respect to LDAP, govern the contents of entries with respect to each schema, which is a set of definitions and constraints regarding the structure of the directory hierarchy.
  • a schema may also define one or more object classes (ObjectClasses). Each entry typically has an OhjectClass attribute, containing named classes defined in the schema.
  • the schema definition of the classes of an entry defines what kind of object the entry may represent, e.g., a person, organization, or domain.
  • the ObjectClass definitions may also define the list of attributes that must contain values and the list of attributes
  • OpenLDAP An example of a typical LDAP implementation is OpenLDAP.
  • OpenLDAP was developed by the OpenLDAP project as a free, open-source implementation of LDAP. It is released under the OpenLDAP public license and has three main components. The components include: SLAPD (also commonly written in lowercase italicized type as “slapd,” which denotes stand-alone LDAP daemon, and associated modules and tools), libraries implementing the LDAP protocol and ASN.1 Basic Encoding Rules (BER), and client software (e.g., Idapsearch Idapadd, Idapdelete, and others).
  • SLAPD also commonly written in lowercase italicized type as “slapd,” which denotes stand-alone LDAP daemon, and associated modules and tools
  • libraries implementing the LDAP protocol and ASN.1 Basic Encoding Rules (BER)
  • client software e.g., Idapsearch Idapadd, Idapdelete, and others.
  • a uidNumber e.g., a UID
  • a MUST attribute field in an example posixAccount schema which is reproduced, below:
  • Examples of newly-created, user-specific accounts could be stored in LDAP using, for example, an OpenLDAP posixAccount schema.
  • the posixAccount schema would expect a UID (i.e., uidNumber) attribute as an input during creation of the account. Expecting a UID as an input from user would be undesirable for several reasons, such as impersonation by a malicious imposter. For example, if one knows the administrator account username, then hacking the password may be more successfully attempted by malicious users. A desire arises, then, to internally or automatically generate the UID and provide it as an input to the schema in question.
  • the so-called “named account” directory and database feature is as a partial solution for assigning and creating new, user-specific UIDs and accounts.
  • the named account feature provides various basic capabilities such as allowing for or providing individual administrator accounts per person or user, but the existing named account feature may also prohibit remote access through fixed (i.e., not subject to changing or rolling) passwords.
  • the named account feature may also employ the automatic expiration of existing passwords, have a mandated minimum time between password changes, and have enforced password length and/or complexity.
  • the named account feature may include provisions for password storage and access and may include separate credentials for application programming interface (API) access and include provisions for auditing of administrator user activity.
  • API application programming interface
  • FIG. 1A is a conceptual illustration of a two-account structured distributed directory access scheme.
  • an example directory or database manager may be stored on a computing device, such as server 104 , and may include a single pane view of a distributed directory or database infrastructure, which may be visible to one or more administrators (e.g., various users 106 ).
  • the manager may be used to simplify storage cluster installation and configuration and may provide a consolidated management and control of the storage cluster located on server 104 .
  • the manager may include a controller configured to carry out methods described herein.
  • a distributed directory or database manager (which may have a display) may be logged into by an administrator (e.g., user 106 b ) with an administrator account.
  • the distributed directory provides a default administrator account that includes a default username and password, by which the administrator can log into the manager.
  • the distributed directory generally may provide a guest account login path (e.g., the guest may be user 106 a ). As shown, these are the only two accounts (or account types in some cases) through which the administrator 106 b or other user 106 a could log into the distributed directory on server 104 as either an administrator or guest.
  • managing the distributed infrastructure requires several administrative users 106 b in their organization. Restricting the different administrative personnel to use the same default administrative account poses critical security risks.
  • Users may be human users, such as employees or clients of a company or organization, and in some embodiments users may take other forms, including computer-based, virtual, machine, controller, or file system-instantiated users.
  • a traditional two-account-based scheme 100 includes two distinct connection paths from a user 106 to a server 104 .
  • Various users are designated as guests 106 a and other may be designated as administrators 106 b .
  • a guest 106 a is given reduced access and read/write capabilities with respect to directory data stored on server 104 .
  • a guest connection 108 may be configured to include an ability or functionality to, for example, access a read on various directory entries, such as a phone number of a fellow employee (not shown).
  • an administrator connection 110 may include the capabilities of the guest connection 108 , with the added capabilities of adding, modifying, and/or deleting directory entries, among other contents of server 104 .
  • Server 104 may represent a single server or a cluster of multiple servers, according to various embodiments.
  • FIG. 1B is a conceptual illustration of a named account distributed directory access scheme.
  • the named account feature if employed as shown, enables the distributed directory manager to create user-defined administrator accounts (such as for user 106 c ).
  • the shown user connection scheme 102 includes the elements as shown in FIG. 1A , while adding a third, user-defined, named account connection 112 .
  • a named-account user may desire to log into the server 104 , and may be one of several administrators assigned to varying roles ranging from a guest (similar to guest 106 a ) to a partial or full administrator (similar to administrator 106 b ).
  • One or more named account users 106 c may have roles and/or responsibilities that vary, such as being assigned to a particular country's operation for a company, or to a particular division of a company.
  • Various roles may be distributed to various named account users 106 c , or several named account users 106 c may alternatively each be considered full administrators in a distributed directory setting, for various reasons.
  • FIG. 2 is a schematic relational diagram 200 showing database components in a distributed directory access scheme, according to various embodiments.
  • basic database or directory components e.g., standard directory LDAP components
  • basic database or directory components 210 include two management modules 214 , 216 , which are operably connected to each other, either passively and/or actively.
  • the management modules 214 , 216 may operate to form a basic distributed directory, and additional management modules can be added, as desired.
  • a single management module 214 may be utilized without a second management module 216 .
  • the management modules 214 , 216 are both preferably connected to an LDAP database 222 operatively located within a named account components section 212 .
  • LDAP database 222 operatively located within a named account components section 212 .
  • SLAPD standalone LDAP daemon
  • SLAPD may be an LDAP directory server that can be run on many different platforms. SLAPD can be used to provide a directory service with respect to a directory that can contain various entries.
  • SLAPD modules facilitate writing and/or modification within an LDAP framework.
  • SLAPD generally includes two distinct parts; a front end that handles protocol communication with LDAP clients, and a module that handles specific tasks, such as database or directory operations.
  • SLAPD may also be widely and flexibly configurable.
  • the configuration of the SLAPD components may use a single configuration file, allowing an administrator to change virtually any aspect with respect to the directory or database.
  • the respective SLAPD service modules are connected to a first management module 214 (MGMT- 0 ) and a second management module 216 (MGMT- 1 ).
  • the SLAPD service modules 218 , 220 may each be stand-alone modules and in operative connection and communication with at least a respective management module 214 , 216 , as shown.
  • Each SLAPD service module 218 , 220 can be connected to a global LDAP directory service (not shown), or each may run an independent service, such as a directory-related service, according to various embodiments.
  • the addition of SLAPD service modules 218 , 220 may provide additional functionality regarding control aspects of a server (such as server 104 of FIGS. 1A-1B ), allowing an administrator to control access to the information in the particular database(s), such as LDAP database 222 .
  • FIG. 3 is a flowchart for the automatic assignments of UIDs for administrator access to a distributed directory manager, according to various embodiments.
  • Various LTD values can be assigned automatically as UIDs by a process starting at 302 .
  • a plurality of user identifier (ID) values e.g., UIDs
  • the plurality of UID values can be selected such that the plurality includes substantially more UID values than are expected to be used or needed as UIDs for the foreseeable future. For example, if 100 UIDs are expected to be used in the next decade, a plurality of 1000 UIDs (or less or more) may be selected as a “safe” number of UID values during implementation of the processes, herein.
  • a first range of the UID values (e.g., to eventually be assigned as one or more UIDs to corresponding users or administrators, as described herein), including a first minimum UID value and a first maximum UID value may be determined.
  • a numerically lowest UID value may be determined to be a first minimum UID value
  • a numerically highest UID value may be determined to be a first maximum UID value, thereby setting and/or determining the first range of UIDs as the range of UIDs between, and including, the first minimum UID value and the first maximum UID value.
  • a first UID value may be assigned to a first user (and associated entry) from the first range based on the first minimum and first maximum UID values. Once the first minimum and maximum UID are each determined, then, a controller (as described herein) may assign at least one of the UID values to a first user as a UID, based on the first range of UID values determined at 306 .
  • a first user account may optionally be created based on the assigning the first UID to the first user (and the associated first user entry).
  • the first user account may be an administrative, named-account, as described herein, and may include various privileges and/or features of various accounts, as described herein.
  • a second UID value may be determined from the first range by incrementing the first UID value based on the first minimum and first maximum ID values. Similar to the determining of the first UID value, the determination of the second UID value may follow the determination of the first UID value, and may be incrementally related to the first UID value, which may have been previously assigned at this step.
  • a second UID value can be assigned to the second user as a second UID, similar to the assignment of the first UID value to the first user as the first UID.
  • a second user account can optionally be created based on the assigning the second UID value to the second user, in a similar fashion to the creating of the creation of the first user account at 310 .
  • the process may end (or optionally repeat), according to various embodiments. If it is determined that the second UID is equal to the first maximum UID value, then a second range of the UID values may be determined, including a second minimum UID value and a second maximum UID value. The process may then end (or repeat), according to various embodiments. According to other embodiments, it may instead be determined at 318 that the second UID is equal to the first maximum UID value minus one (e.g., second to maximum UID value), or other UID value according to various embodiments.
  • FIG. 4 is an illustration of an example UID assignment process 400 in a distributed directory, according to various embodiments.
  • an initial range of potential UIDs 410 may be specified or received to begin a UID-assignment process within a named account feature.
  • the initial range of UIDs 410 may include n UIDs, including an n th UID 412 .
  • the initial range of UIDs 410 may be selected to be sufficiently large so as to generously accommodate present and future needs of UIDs. A large range may be specified in order to reduce the likelihood that a range would eventually become insufficient.
  • a minimum range value may be selected arbitrarily, but may be selected such that a likelihood of the UID being already in use is reduced, for example, by selecting a UID that is substantially beyond any and all expected UIDs that would already be in use.
  • the various UIDs may be identified as being in use 416 or not currently in use 414 .
  • the UIDs within the initial range 410 both in use and not in use may all be designated in order to preferably identify a hole 418 containing a maximum consecutive number of available UIDs 414 , though other holes may also be present.
  • the n th UID 420 may be designated as available or in use.
  • hole 418 includes four available consecutive UIDs 3 -A ( 422 ), 4 -A ( 424 ), 5 -A ( 426 ), 6 -A ( 428 ), and 7 -A ( 430 ).
  • the UIDs 3 -A ( 422 ), 4 -A ( 424 ), 5 -A ( 426 ), 6 -A ( 428 ), and 7 -A ( 430 ) are assigned to users 1 - 5 , according to the ordering of the UIDs.
  • user 1 is assigned UID 3 -A 422
  • user 2 is assigned UID 4 -A 424
  • user 3 is assigned UID 5 -A 426
  • user 4 is assigned UID 6 -A 428
  • user 5 is assigned UID 7 -A 430 .
  • the concatenation of the letter “A” to the numbered UID denotes a first determination of UIDs and the applicable usage status.
  • step (iii), at step (v), the UIDs 6 -B ( 438 ), 7 -B ( 440 ), and 8 -B ( 442 ) are assigned to the next three users, in this case users 6 , 7 , and 8 .
  • the process may then be optionally repeated at step (vi) as many (or as few) times as necessary, as illustrated by ellipsis 444 .
  • the process may preferably be repeated in particular when a new request for a UID or administrator account is received by a controller or manager, as described herein.
  • the concatenation of the letter “B” denotes a second determination of UIDs and the usage status. Further determinations of usage status of UIDs may be performed, as desired.
  • FIG. 5 is an example schema that can be employed with the automatic assignment of UIDs, according to various embodiments.
  • a typical OpenLDAP posixAccount schema may be utilized for the purposes of this disclosure.
  • the OpenLDAP posixAccount schema includes an entry with five mandatory attribute fields, including uidNumber (e.g., UID as used throughout this application), gidNumber (group identifier), memberUID (member identifier), cn (common name), and homeDirectory (e.g., a filesystem or internet address path).
  • uidNumber e.g., UID as used throughout this application
  • gidNumber group identifier
  • memberUID member identifier
  • cn common name
  • homeDirectory e.g., a filesystem or internet address path
  • Optional attributes that not mandated by the shown schema may include userPassword (not shown), loginShell (not shown), and gecos (not shown), among others.
  • FIG. 6 is an example routine 600 for assigning a UID, according to various embodiments.
  • a particular embodiment of the invention includes a four-step pseudocode routine (which may be in LDAP data interchange format, or LDIF) that contains a first step in which a minimum and maximum range are assigned, with 4096 assigned as an example minimum, and 65535 assigned as an example maximum.
  • the minimum, maximum, and resulting range can be chosen or determined arbitrarily, but can be chosen such that existing or in-use UIDs are avoided and/or that a maximum UID is selected that is sufficient to avoid future need for a greater maximum.
  • the range of possible UIDs from 4096-65535, spanning over 40,000 possible UIDs is determined to be sufficient for this example by an administrator. The range may also be determined automatically, according to other embodiments.
  • nextId is equal to the maximum UID (or, alternatively, the maximum UID of the range minus one)
  • findHoleAndAssignNewRange( ) 604 can be called, returning a new range (e.g., 4099-65535, 5000-65535, 4099-65532, etc.) having a new minimum and maximum UID, and it may be persisted.
  • the minimum UID plus one (increment) can then be assigned to nextId, and the next Id can be returned.
  • routines having subroutines are also depicted, including getNextFreeUnixId( ) 602 , and findHoleAndAssignNewRange( ) 604 , embodiments of which are each further explained with respect to FIGS. 7 and 8 , respectively.
  • FIG. 7 is a subset 700 of the example routine 600 of FIG. 6 , where the next free UID is assigned, according to various embodiments.
  • the routine 600 of FIG. 6 includes several (e.g., LDIF) routines, including calling function getNextFreeUnixId( ) 602 , which may contain three subroutine steps.
  • getNextFreeUnixId( ) 602 includes getting the minimum and maximum free available or not in use) UID from NextFreeUnixId user, incrementing the minimum UID by one and assigning the resulting UID to nextId, and returning the nextId and the maxId.
  • the incrementing of UIDs can be preferably by one unit, but may also be by any other number or interval. Alternatively, the incrementing can occur in reverse, starting with a maximum UID, and dis-incrementing the maximum UID value until a minimum UID value has been achieved.
  • the command “NextFreeUnixId” may be used for generating UIDs for new user accounts.
  • the initial range of UIDs may range from be from “start_range” to “end_range,” which may be initially set up during cluster installation.
  • An LDAP process may start with the “start_range” and may increment until reaching the “end_range.”
  • the system or method e.g., controller
  • the system or method preferably determines or identifies one or more applicable holes in the range and then preferably picks the largest hole range.
  • the “start_range” and “end_range” are then preferably re-initialized with the obtained hole range.
  • FIG. 8 is another subset 800 of the example routine 600 of FIG. 6 , where a hole is found and a new range assigned, according to various embodiments.
  • the findHoleAndAssignNewRange( ) 604 (e.g., LDIF) routine, as shown with respect to FIG. 6 , can preferably include four (or more) subroutines.
  • the subroutines of findHoleAndAssignNewRange( ) 604 can include determining or receiving the existing users' UIDs and storing them in a list, finding the hole that has the maximum range of UIDs, and assigning it to maxRange. Then, the minimum UID of maxRange can be assigned to the minimum UID, and the maximum of maxRange can be assigned to the maximum, and the minimum and maximum UID values can be returned, according to various embodiment.
  • FIG. 9 depicts a computer system 900 according to embodiments of the present disclosure.
  • Computer system 900 includes controller 910 having processors 912 and 914 .
  • each processor 912 , 914 can be a single processor or a multi-threaded processor, a general purpose or a special purpose processor, a co-processor, or any of a variety of processing devices that can execute computing instructions.
  • Server 104 of FIG. 1 may represent an embodiment of computer system 900 .
  • Computer system may also be a computing device or a controller, as used herein.
  • Computer system 900 is configured with an interface 916 to enable controller 910 to receive a request to assign a UID to a user as input 918 , as described in particular with regard to FIGS. 3 and 4 .
  • the interface can enable controller 910 to receive, or otherwise access, 916 the input 918 via, for example, a network (e.g., an intranet, or a public network such as the Internet), or a storage medium, such as a disk drive internal or connected to controller 910 .
  • the interface can be configured for human input or other input devices, such as described later in regard to components of controller 910 . It would be apparent to one of ordinary skill in the art that the interface can be any of a variety of interface types or mechanisms suitable for a computer, or a program operating in a computer, to receive or otherwise access or receive a source input or file.
  • Processors 912 , 914 included in controller 910 are connected by a memory interface 920 to memory device or module 930 .
  • the memory 930 can be a cache memory, a main memory, a flash memory, or a combination of these or other varieties of electronic devices capable of storing information and, optionally, making the information, or locations storing the information within the memory 930 , accessible to a processor.
  • Memory 930 can be formed of a single electronic (or, in some embodiments, other technologies such as optical) module or can be formed of a plurality of memory devices.
  • Memory 930 can be, for example, one or more silicon dies or chips, or can be a multi-chip module package.
  • Embodiments can organize a memory as a sequence of bit, octets (bytes), words (e.g., a plurality of contiguous or consecutive bytes), or pages (e.g., a plurality of contiguous or consecutive bytes or words).
  • computer 900 can include a plurality of memory devices.
  • a memory interface, such as 920 between a one or more processors and one or more memory devices can be, for example, a memory bus common to one or more processors and one or more memory devices.
  • a memory interface, such as 920 between a processor (e.g., 912 , 914 ) and a memory 930 can be point to point connection between the processor and the memory, and each processor in the computer 900 can have a point-to-point connection to each of one or more of the memory devices.
  • a processor for example, 912
  • a memory e.g., memory 930
  • another processor e.g., 914
  • the memory e.g., 920 from processor 914 to memory 930 .
  • Computer 900 can include an input/output (I/O) bridge, which can be connected to a memory interface, or to processor (not shown).
  • I/O bridge can interface the processors and/or memory devices of the computer 900 (or, other I/O devices) to I/O devices connected to the bridge.
  • controller 910 includes I/O bridge 950 interfacing memory interface 920 to I/O devices, such as I/O device 960 .
  • an I/O bridge can connect directly to a processor or a memory, or can be a component included in a processor or a memory.
  • An I/O bridge can be, for example, a peripheral component interconnect express (PCI-Express) or other I/O bus bridge, or can be an I/O adapter.
  • PCI-Express peripheral component interconnect express
  • I/O bridge can connect to I/O devices by means of an I/O interface, or I/O bus, such as I/O bus 922 of controller 910 .
  • I/O bus 922 can be a PCI-Express or other I/O bus.
  • I/O devices can be any of a variety of peripheral I/O devices or adapters connecting to peripheral I/O devices.
  • I/O device 960 can be a graphics card, keyboard or other input device, a hard disk drive (HDD), solid-state drive (SSD) or other storage device, a network interface card (NIC), etc.
  • I/O device 960 can be an I/O adapter, such as a PCI-Express adapter, that connects components (e.g., processors or memory devices) of the computer 900 to I/O devices (e.g., disk drives, Ethernet networks, video displays, keyboards, mice, styli, touchscreens, etc.).
  • components e.g., processors or memory devices
  • I/O devices e.g., disk drives, Ethernet networks, video displays, keyboards, mice, styli, touchscreens, etc.
  • Computer 900 can include instructions executable by one or more of the processors (or, processing elements, such as threads of a processor).
  • the instructions can be a component of one or more programs.
  • the programs, or the instructions can be stored in, and/or utilize, one or more memory devices of computer 900 .
  • controller 910 includes a plurality of programs or modules, such as UID status module 908 and UID assignment module 904 .
  • a program can be, for example, an application program, an operating system (OS) or a function of an OS, or a utility or built-in function of the computer 900 .
  • a program can be a hypervisor, and the hypervisor can, for example, manage sharing resources of the computer 900 (e.g., a processor or regions of a memory, or access to an I/O device) among a plurality of programs or OSes.
  • Programs can be “stand-alone” programs that execute on processors and use memory within the computer 900 directly, without requiring another program to control their execution or their use of resources of the computer 900 .
  • controller 910 includes stand-alone program 908 .
  • a stand-alone program can perform particular functions within the computer 900 , such as controlling, or interfacing (e.g., access by other programs) an I/O interface or I/O device.
  • a stand-alone program can, for example, manage the operation, or access to, a memory (e.g., memory 930 ).
  • a basic I/O subsystem (BIOS), or a computer boot program e.g., a program that can load and initiate execution of other programs) can be a standalone program.
  • Controller 910 within computer 900 can include one or more OS 902 , 906 , and an OS can control the execution of other programs such as, for example, to start or stop a program, or to manage resources of the computer 900 used by a program.
  • controller 910 includes OSes 902 and 906 , each of which can include, or manage execution of, one or more programs, such as OS 902 including (or, managing) program 904 .
  • an OS can function as a hypervisor.
  • a program can be embodied as firmware (e.g., BIOS in a desktop computer, or a hypervisor) and the firmware can execute on one or more processors and, optionally, can use memory, included in the computer 900 .
  • Firmware can be stored in a memory (e.g., a flash memory) of the computer 900 .
  • controller 910 includes firmware 940 stored in memory 930 .
  • firmware can be embodied as instructions (e.g., comprising a computer program product) on a storage medium (e.g., a CD-ROM, DVD-ROM, a flash memory, or a disk drive), and the computer 900 can access the instructions from the storage medium.
  • computer 900 can include instructions for the assignment of UIDs to users without collision.
  • Controller 910 includes, for example, UID determination and assignment instructions 942 , which can operate to assign UIDs and/or create user or administrator accounts at 944 .
  • the computer 900 can store the UID assignment instructions and/or the created user account information in a memory 930 of the computer 900 , such as controller 910 storing the UID determination and assignment instructions 942 and assign UIDs and/or create user or administrator accounts 944 in memory 930 .
  • computer system 900 and controller 910 are not intended to limiting to embodiments.
  • computer system 900 can include a plurality of processors, interfaces, and inputs and can include other elements or components, such as networks, network routers or gateways, storage systems, server computers, virtual computers or virtual computing and/or I/O devices, cloud-computing environments, and so forth. It would be evident to one of ordinary skill in the art to include a variety of computing devices interconnected in a variety of manners in a computer system embodying aspects and features of the disclosure.
  • controller 910 can be, for example, a computing device having a processor (e.g., 912 ) capable of executing computing instructions and, optionally, a memory 930 in communication with the processor.
  • controller 910 can be a desktop or laptop computer; a tablet computer, mobile computing device, personal digital assistant (PDA), or cellular phone; or, a server computer, a high-performance computer (HPC), or a super computer.
  • Controller 910 can be, for example, a computing device incorporated into a wearable apparatus (e.g., an article of clothing, a wristwatch, or eyeglasses), an appliance (e.g., a refrigerator, or a lighting control), a mechanical device, or (for example) a motorized vehicle.
  • a computer embodying aspects and features of the disclosure can be any of a variety of computing devices having processors and, optionally, memory devices, and/or programs.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A controller is configured to perform various steps including receiving a plurality of user identification values. Another step includes determining a first range of the plurality of user identification values, the first range including a first minimum user identification value and a first maximum user identification value. Another step includes assigning a first user identification value to a first user from the first range of the plurality of user identification values to a first user based on the first minimum and maximum user identification values. Another step includes determining a second user identification value from the first range of the plurality of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values. Yet another step includes assigning the second user identification value to a second user.

Description

BACKGROUND
The present disclosure relates to aspects of electronic directories, and relates in particular to improvements to the use of automatically-generated user identifiers within electronic directories.
Electronic data stores and computerized directories have begun to utilize distributed aspects, where directory functionality and data itself is spread over multiple servers, networks, etc. Distributed directories may benefit from increased high-volume and globalized capability, and may dynamically replicate entries as needed. Some temporary inconsistencies may exist between machines in distributed models for a short amount of time, but any inconsistencies are typically addressed quickly. However, as electronic directories proliferate, a relative disorder of platform or company-specific versions led to an eventual need for a platform-independent, standardized, and Internet-connected model. The X.500 directory standard, which runs on Open Systems Interconnection (OSI), accomplishes some of the goals, but has known drawbacks. For one, X.500 runs on the OSI protocol stack (as opposed to the widely-used transmission control protocol and Internet protocol suite (TCP/IP) or other connection-oriented transfer service), and had robust, or “heavyweight,” features and capacities that were often neither needed nor used.
Lightweight directory access protocol (LDAP) was developed to be an application and distributed directory access protocol that could be used across platforms and/or organizations, among other flexibilities. Generally speaking, the formulation of LDAP eschews various components and functionalities of the broader-scope X.500, while streamlining others (e.g., the shift from OSI to TCP/IP), leading to an efficient, and widely-disseminated protocol for distributed or large-scale directory management. LDAP utilizes a client-server model, whereby a user (or a device) can connect to any of several servers and still access the same entry, in the form of a global directory service. In order to keep entries organized and logically laid out, LDAP entries are generally arranged in a hierarchical tree-like structure, and ordering of entries is not typically required.
A general purpose and goal of LDAP, unlike some other database-type formats, relates to streamlining and improving usefulness and efficiency in directories, generally including information relating to individuals, stored in the form of entries. The various entries (which may represent, for example, individuals) are assigned a unique identifying name (called a distinguished name (DN)), details and characteristics, such as a first and/or last name, user role, phone number, email address, employee number, office location, common name, home directory, password, etc.
In order to run large-scale, global, or distributed databases or data systems, various computer systems, including high-performance computing (HPC) implementations, have become increasingly integrated. The implementation of HPCs, among others, has led to an increase in various administrative and management demands related to database and directory models. Due to issues with permissions of administrator accounts, security-related aspects often have inherent vulnerabilities. To improve security, in particular, LDAP may be employed as a back-end to store and authenticate the multiple created administrative accounts.
LDAP often utilizes one or more so-called “schemas” related to various tasks or directory functions, LDAP also employs entries, which may be prescribed and governed by a schema. A schema is often a grouping of fundamental information categories known as entries. Each schema is composed of mandatory and/or optional entry information categories and which may serve as frameworks or templates for various directory-related database organizations. An entry, for the purposes of the LDAP framework, include attributes which may have a name and one or more values related to an object (e.g., an employee, administrator, system, etc.). The attributes may include qualities or names related to the object in question, such as a unique, user identifier (UID) for a particular user's account, among many other attributes. A UID, as the name implies, is typically an identifier or serial number that identifies a user entry (e.g., a human user or device), and a UM may be referred to as a distinguished name (DN) (including a full filesystem file path), or a relative distinguished name (RDN) (the relevant filesystem file name in its relevant parent folder). A DN may change over time, as needed, for example if an entry is moved from one location to another.
At present, administrator(s) typically must provide, assign, and/or create UIDs manually, a process that is prone to errors among other problems. As such, it has become increasingly important to devise a method for generating (e.g., in conjunction with the LDAP ADD operation) UIDs and adding associated entries without problematic overwrites, collisions, security concerns or other problems. Generally, the ADD operation involves the insertion a new entry (e.g., a UID) into a directory or server database. If the UID in the add request already exists in the directory, then the server will not or cannot add a duplicate entry, but may give an error or result code of “entry already exists.” Typically, in order to add a new entry in an LDAP environment, the new entry to be added must not already exist, and the new entry's immediate superior in the hierarchy or directory must exist.
Various problems exist with respect to the capabilities and functionality of the existing state of the named account feature. Typically, there has been no enforcement of password expiration policy for a default administrator “admin” account. Additionally, there has typically been no enforcement to check the strength of the password. With regard to an audit of the administrator account, there typically has been no separate audit, with the possible exception of the unreliable bash history. Furthermore, typically there has been no separate account for other management-related access (e.g., with respect to reliability, availability, and/or service).
SUMMARY
In one aspect of the present disclosure, a system includes a controller operatively connected to at least a memory device and a storage device, the controller configured to perform various steps. The steps to be performed include receiving a plurality of user identification values. Another step to be performed includes determining a first range of the plurality of user identification values, the first range including a first minimum user identification value and a first maximum user identification value. Another step to be performed includes assigning a first user identification value to a first user from the first range of the plurality of user identification values to a first user based on the first minimum and maximum user identification values. Another step to be performed includes determining a second user identification value from the first range of the plurality of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values. Yet another step to be performed includes assigning the second user identification value to a second user.
A second aspect of the present disclosure is directed to an account generation method. The method includes receiving a plurality of user identification values. The method also includes determining a first range of the user identification values, the first range including a first minimum user identification value and a first maximum user identification value. The method also includes assigning a first user identification value to a first user from the first range of the plurality of user identification values to a first user based on the first minimum and maximum user identification values. The method also includes creating a first user account based on the assigning the first user identification value to the first user. The method also includes determining a second user identification value from the first range of the plurality of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values. The method also includes assigning the second user identification value to a second user. And, the method also includes creating a second user account based on the assigning the second user identification value to the second user.
A third aspect of the present disclosure is directed to a computer program product including a computer-readable storage device having a computer-readable program stored therein, where the computer-readable program, when executed on a computing device, causes the computing device to receive a plurality of user identification values. The computing device is also caused to determine a first range of the plurality of user identification values, the first range including a first minimum user identification value and a first maximum user identification value. The computing device is also caused to assign a first user identification value to a first user from the first range of the plurality of user identification values to a first user based on the first minimum and maximum user identification values. The computing device is also caused to create a first user account based on the assigning the first user identification value to the first user. The computing device is also caused to determine a second user identification value from the first range of the plurality of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values. The computing device is also caused to assign the second user identification value to a second user. And, the computing device is also caused to create a second user account based on the assigning the second user identification value to the second user.
These and various other features and advantages will be apparent from a reading of the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
Other important objects and advantages of the present invention will be apparent from the following detailed description of the invention taken in connection with the accompanying drawings.
FIG. 1A is a conceptual illustration of a two-account structured distributed directory access scheme.
FIG. 1B is a conceptual illustration of a named account distributed directory access scheme.
FIG. 2 is a schematic relational diagram showing database components in a distributed directory access scheme, according to various embodiments.
FIG. 3 is a flowchart for the automatic assignments of UIDs for administrator access to a distributed directory manager, according to various embodiments.
FIG. 4 is an illustration of an example UID assignment process in a distributed directory, according to various embodiments.
FIG. 5 is an example schema that can be employed with the automatic assignment of UIDs according to various embodiments.
FIG. 6 is an example routine for assigning a UID, according to various embodiments.
FIG. 7 is a subset of the example routine of FIG. 6, where the next free UID is assigned, according to various embodiments.
FIG. 8 is another subset of the example routine of FIG. 6, where a hole is found and a new range assigned, according to various embodiments.
FIG. 9 depicts a computer system according to embodiments of the present disclosure.
DETAILED DESCRIPTION
The foregoing specific embodiments of the present invention as set forth in the specification herein are for illustrative purposes only. Various deviations and modifications may be made within the spirit and scope of the invention without departing from the main theme thereof. For example, the methods and systems described herein are described in particular with regard to databases and directories, in particular. However, the methods of systems described herein may be applicable to many other instances for a unique identifier is desired to be determined without the assistance of a user, for the creation of accounts, for example.
The present invention overcomes various disadvantages and shortcomings of the prior art relating to the automatic generation of unique identifiers, and in particular to improved methods and systems for the automatic generation of new, collision-avoiding user identifiers (UIDs), especially within the industry-standard framework of LDAP. Collision-free, named-account-based UIDs can be generated automatically by continuously-incrementing numeric UIDs within holes or gaps within available ranges of UIDs within a preset range when a directory database is instantiated. By improving the known named-account feature, the uncertainties of the human element are reduced, and the risk of collisions and other computer-related problems are also reduced, improving performance and efficiency in database or directory-based tasks.
Previously, a single systems administrator and account would be sufficient to oversee an entire database or system. Faced with the management of a present-day HPC-based system, a single administrator logging into the manager may eventually become overworked or overwhelmed, leading to the necessary employment of additional administrators per database manager, system, network, server, and/or company. Even if a single administrator were not to be overwhelmed (e.g., in the case of a smaller company or organization), other causes have commonly led to a desire to segment the purview of various administrators, for a variety of reasons. Aspects related to security are common concerns in the realm of networks, computers, and the Internet, especially with respect to private or sensitive data. As such, a need has arisen to support multiple unique administrative accounts, one for each administrator, in order to manage clustered, distributed, and/or parallel storage systems. Some examples of a clustered storage system and manager are, respectively, ClusterStor® and the associated ClusterStor® manager products (and registered trademark) of Seagate Technology.
Directory schemas, as used with respect to LDAP, govern the contents of entries with respect to each schema, which is a set of definitions and constraints regarding the structure of the directory hierarchy. A schema may also define one or more object classes (ObjectClasses). Each entry typically has an OhjectClass attribute, containing named classes defined in the schema. The schema definition of the classes of an entry defines what kind of object the entry may represent, e.g., a person, organization, or domain. The ObjectClass definitions may also define the list of attributes that must contain values and the list of attributes
An example of a typical LDAP implementation is OpenLDAP. OpenLDAP was developed by the OpenLDAP project as a free, open-source implementation of LDAP. It is released under the OpenLDAP public license and has three main components. The components include: SLAPD (also commonly written in lowercase italicized type as “slapd,” which denotes stand-alone LDAP daemon, and associated modules and tools), libraries implementing the LDAP protocol and ASN.1 Basic Encoding Rules (BER), and client software (e.g., Idapsearch Idapadd, Idapdelete, and others). Various processes closely-related to LDAP schemas (e.g., an OpenLDAP posixAccount schema, defined in at least IETF RFC 2307) currently lack the facility to automatically create and/or assign UIDs for the new user accounts. For example, according to various IETFs, a uidNumber (e.g., a UID) is a MUST attribute field in an example posixAccount schema, which is reproduced, below:
objectclass (
1.3.1.1.1.2.0
NAME ‘posixAccount’
DESC ‘Abstraction of an account with POSIX attributes’
SUP top
AUXILIARY
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
May ( userPassword $ loginShell $ gecos $ description )
Examples of newly-created, user-specific accounts could be stored in LDAP using, for example, an OpenLDAP posixAccount schema. The posixAccount schema would expect a UID (i.e., uidNumber) attribute as an input during creation of the account. Expecting a UID as an input from user would be undesirable for several reasons, such as impersonation by a malicious imposter. For example, if one knows the administrator account username, then hacking the password may be more successfully attempted by malicious users. A desire arises, then, to internally or automatically generate the UID and provide it as an input to the schema in question.
The so-called “named account” directory and database feature is as a partial solution for assigning and creating new, user-specific UIDs and accounts. The named account feature provides various basic capabilities such as allowing for or providing individual administrator accounts per person or user, but the existing named account feature may also prohibit remote access through fixed (i.e., not subject to changing or rolling) passwords. The named account feature may also employ the automatic expiration of existing passwords, have a mandated minimum time between password changes, and have enforced password length and/or complexity. In addition, the named account feature may include provisions for password storage and access and may include separate credentials for application programming interface (API) access and include provisions for auditing of administrator user activity. As a result, with the named account feature, an organization can beneficially audit which user changed what in the system.
FIG. 1A is a conceptual illustration of a two-account structured distributed directory access scheme.
In order to implement various embodiments described with respect to this application, an example directory or database manager (not shown) may be stored on a computing device, such as server 104, and may include a single pane view of a distributed directory or database infrastructure, which may be visible to one or more administrators (e.g., various users 106). The manager may be used to simplify storage cluster installation and configuration and may provide a consolidated management and control of the storage cluster located on server 104. As such, the manager may include a controller configured to carry out methods described herein. A distributed directory or database manager (which may have a display) may be logged into by an administrator (e.g., user 106 b) with an administrator account.
Currently, to log into the distributed directory (or database) manager located on server 104, the distributed directory provides a default administrator account that includes a default username and password, by which the administrator can log into the manager. Additionally, the distributed directory generally may provide a guest account login path (e.g., the guest may be user 106 a). As shown, these are the only two accounts (or account types in some cases) through which the administrator 106 b or other user 106 a could log into the distributed directory on server 104 as either an administrator or guest. For large organizations or governments having hundreds of distributed directories or databases, managing the distributed infrastructure requires several administrative users 106 b in their organization. Restricting the different administrative personnel to use the same default administrative account poses critical security risks. Users, as used herein, may be human users, such as employees or clients of a company or organization, and in some embodiments users may take other forms, including computer-based, virtual, machine, controller, or file system-instantiated users.
As shown, a traditional two-account-based scheme 100 includes two distinct connection paths from a user 106 to a server 104. Various users are designated as guests 106 a and other may be designated as administrators 106 b. In principle, a guest 106 a, for various reasons, including security and accident-avoidance, is given reduced access and read/write capabilities with respect to directory data stored on server 104. A guest connection 108 may be configured to include an ability or functionality to, for example, access a read on various directory entries, such as a phone number of a fellow employee (not shown). However, an administrator connection 110 may include the capabilities of the guest connection 108, with the added capabilities of adding, modifying, and/or deleting directory entries, among other contents of server 104. Server 104 may represent a single server or a cluster of multiple servers, according to various embodiments.
FIG. 1B is a conceptual illustration of a named account distributed directory access scheme.
The named account feature, if employed as shown, enables the distributed directory manager to create user-defined administrator accounts (such as for user 106 c). The shown user connection scheme 102 includes the elements as shown in FIG. 1A, while adding a third, user-defined, named account connection 112. A named-account user may desire to log into the server 104, and may be one of several administrators assigned to varying roles ranging from a guest (similar to guest 106 a) to a partial or full administrator (similar to administrator 106 b). One or more named account users 106 c may have roles and/or responsibilities that vary, such as being assigned to a particular country's operation for a company, or to a particular division of a company. Various roles may be distributed to various named account users 106 c, or several named account users 106 c may alternatively each be considered full administrators in a distributed directory setting, for various reasons.
FIG. 2 is a schematic relational diagram 200 showing database components in a distributed directory access scheme, according to various embodiments.
As depicted, basic database or directory components (e.g., standard directory LDAP components) 210 include two management modules 214, 216, which are operably connected to each other, either passively and/or actively. As described herein, the management modules 214, 216 may operate to form a basic distributed directory, and additional management modules can be added, as desired. In other embodiments (e.g., a situation where a directory is not a distributed directory), a single management module 214 may be utilized without a second management module 216.
As shown, according to one embodiment representing named account structure, the management modules 214, 216 are both preferably connected to an LDAP database 222 operatively located within a named account components section 212. Also located within the named account components section 212 can be two standalone LDAP daemon (SLAPD) service modules 218, 220. SLAPD, as discussed above, may be an LDAP directory server that can be run on many different platforms. SLAPD can be used to provide a directory service with respect to a directory that can contain various entries.
Generally, SLAPD modules facilitate writing and/or modification within an LDAP framework. SLAPD generally includes two distinct parts; a front end that handles protocol communication with LDAP clients, and a module that handles specific tasks, such as database or directory operations. SLAPD may also be widely and flexibly configurable. The configuration of the SLAPD components, for example, may use a single configuration file, allowing an administrator to change virtually any aspect with respect to the directory or database. As shown, the respective SLAPD service modules are connected to a first management module 214 (MGMT-0) and a second management module 216 (MGMT-1).
The SLAPD service modules 218, 220 may each be stand-alone modules and in operative connection and communication with at least a respective management module 214, 216, as shown. Each SLAPD service module 218, 220 can be connected to a global LDAP directory service (not shown), or each may run an independent service, such as a directory-related service, according to various embodiments. According to some embodiments, the addition of SLAPD service modules 218, 220 may provide additional functionality regarding control aspects of a server (such as server 104 of FIGS. 1A-1B), allowing an administrator to control access to the information in the particular database(s), such as LDAP database 222.
FIG. 3 is a flowchart for the automatic assignments of UIDs for administrator access to a distributed directory manager, according to various embodiments.
Various LTD values can be assigned automatically as UIDs by a process starting at 302. At 304, a plurality of user identifier (ID) values (e.g., UIDs) can be received. For example, prior to the receiving the plurality of UID values, the plurality of UID values can be selected such that the plurality includes substantially more UID values than are expected to be used or needed as UIDs for the foreseeable future. For example, if 100 UIDs are expected to be used in the next decade, a plurality of 1000 UIDs (or less or more) may be selected as a “safe” number of UID values during implementation of the processes, herein.
At 306, a first range of the UID values (e.g., to eventually be assigned as one or more UIDs to corresponding users or administrators, as described herein), including a first minimum UID value and a first maximum UID value may be determined. Once the plurality of UID values is received, a numerically lowest UID value may be determined to be a first minimum UID value, and a numerically highest UID value may be determined to be a first maximum UID value, thereby setting and/or determining the first range of UIDs as the range of UIDs between, and including, the first minimum UID value and the first maximum UID value.
At 308, a first UID value may be assigned to a first user (and associated entry) from the first range based on the first minimum and first maximum UID values. Once the first minimum and maximum UID are each determined, then, a controller (as described herein) may assign at least one of the UID values to a first user as a UID, based on the first range of UID values determined at 306.
At 310, a first user account may optionally be created based on the assigning the first UID to the first user (and the associated first user entry). The first user account may be an administrative, named-account, as described herein, and may include various privileges and/or features of various accounts, as described herein.
At 312, a second UID value may be determined from the first range by incrementing the first UID value based on the first minimum and first maximum ID values. Similar to the determining of the first UID value, the determination of the second UID value may follow the determination of the first UID value, and may be incrementally related to the first UID value, which may have been previously assigned at this step. At 314, a second UID value can be assigned to the second user as a second UID, similar to the assignment of the first UID value to the first user as the first UID. At 316, a second user account can optionally be created based on the assigning the second UID value to the second user, in a similar fashion to the creating of the creation of the first user account at 310.
At 318, it may be determined whether the second UID is equal to the first maximum UID value. If it is determined that the second UID is equal to the first maximum UID value, the process may end (or optionally repeat), according to various embodiments. If it is determined that the second UID is equal to the first maximum UID value, then a second range of the UID values may be determined, including a second minimum UID value and a second maximum UID value. The process may then end (or repeat), according to various embodiments. According to other embodiments, it may instead be determined at 318 that the second UID is equal to the first maximum UID value minus one (e.g., second to maximum UID value), or other UID value according to various embodiments.
FIG. 4 is an illustration of an example UID assignment process 400 in a distributed directory, according to various embodiments.
As described herein, at step (i), an initial range of potential UIDs 410 (e.g., UID values) may be specified or received to begin a UID-assignment process within a named account feature. The initial range of UIDs 410 may include n UIDs, including an nth UID 412. As described herein, the initial range of UIDs 410 may be selected to be sufficiently large so as to generously accommodate present and future needs of UIDs. A large range may be specified in order to reduce the likelihood that a range would eventually become insufficient. A minimum range value (UID 1, as shown) may be selected arbitrarily, but may be selected such that a likelihood of the UID being already in use is reduced, for example, by selecting a UID that is substantially beyond any and all expected UIDs that would already be in use.
Following the initial assignment of range of potential UIDs 410, the various UIDs may be identified as being in use 416 or not currently in use 414. The UIDs within the initial range 410, both in use and not in use may all be designated in order to preferably identify a hole 418 containing a maximum consecutive number of available UIDs 414, though other holes may also be present. The nth UID 420 may be designated as available or in use. As shown, hole 418, as shown, includes four available consecutive UIDs 3-A (422), 4-A (424), 5-A (426), 6-A (428), and 7-A (430). At step (iii), starting with the first UID 3-A (422) of the hole 418, the UIDs 3-A (422), 4-A (424), 5-A (426), 6-A (428), and 7-A (430) are assigned to users 1-5, according to the ordering of the UIDs. In other words, user 1 is assigned UID 3-A 422, as shown, user 2 is assigned UID 4-A 424, user 3 is assigned UID 5-A 426, user 4 is assigned UID 6-A 428, and user 5 is assigned UID 7-A 430. As shown for illustrative purposes, the concatenation of the letter “A” to the numbered UID denotes a first determination of UIDs and the applicable usage status.
Following the assignment of the UIDs 3-A at 422 through 7-A at 430 to users 1-5 at step (iii), it is again determined which of the UIDs 410 are in use 434, and which of the UIDs are available 432. The newly-identified UIDs have an nth entry, n-B 437, as shown. A second hole 436 is then determined, in this case containing three available, consecutive UIDs 6-B (438), 7-B (440), and 8-B (442). Mirroring the process of step (iii), at step (v), the UIDs 6-B (438), 7-B (440), and 8-B (442) are assigned to the next three users, in this case users 6, 7, and 8. The process may then be optionally repeated at step (vi) as many (or as few) times as necessary, as illustrated by ellipsis 444. The process may preferably be repeated in particular when a new request for a UID or administrator account is received by a controller or manager, as described herein. As shown for illustrative purposes, the concatenation of the letter “B” denotes a second determination of UIDs and the usage status. Further determinations of usage status of UIDs may be performed, as desired.
FIG. 5 is an example schema that can be employed with the automatic assignment of UIDs, according to various embodiments.
As shown with respect to FIG. 5, a typical OpenLDAP posixAccount schema may be utilized for the purposes of this disclosure. Typically, the OpenLDAP posixAccount schema includes an entry with five mandatory attribute fields, including uidNumber (e.g., UID as used throughout this application), gidNumber (group identifier), memberUID (member identifier), cn (common name), and homeDirectory (e.g., a filesystem or internet address path). Optional attributes that not mandated by the shown schema may include userPassword (not shown), loginShell (not shown), and gecos (not shown), among others.
FIG. 6 is an example routine 600 for assigning a UID, according to various embodiments.
A particular embodiment of the invention includes a four-step pseudocode routine (which may be in LDAP data interchange format, or LDIF) that contains a first step in which a minimum and maximum range are assigned, with 4096 assigned as an example minimum, and 65535 assigned as an example maximum. As discussed herein, the minimum, maximum, and resulting range can be chosen or determined arbitrarily, but can be chosen such that existing or in-use UIDs are avoided and/or that a maximum UID is selected that is sufficient to avoid future need for a greater maximum. Here, the range of possible UIDs from 4096-65535, spanning over 40,000 possible UIDs, is determined to be sufficient for this example by an administrator. The range may also be determined automatically, according to other embodiments.
Once the range of UIDs has been assigned, a function, such as getNextFreeUnixId( ) 602, can be called, assigning the return value to the next UID (nextId). If nextId is equal to the maximum UID (or, alternatively, the maximum UID of the range minus one), then another function, such as findHoleAndAssignNewRange( ) 604, can be called, returning a new range (e.g., 4099-65535, 5000-65535, 4099-65532, etc.) having a new minimum and maximum UID, and it may be persisted. The minimum UID plus one (increment) can then be assigned to nextId, and the next Id can be returned.
Various routines having subroutines are also depicted, including getNextFreeUnixId( ) 602, and findHoleAndAssignNewRange( ) 604, embodiments of which are each further explained with respect to FIGS. 7 and 8, respectively.
FIG. 7 is a subset 700 of the example routine 600 of FIG. 6, where the next free UID is assigned, according to various embodiments.
The routine 600 of FIG. 6 includes several (e.g., LDIF) routines, including calling function getNextFreeUnixId( ) 602, which may contain three subroutine steps. As shown, getNextFreeUnixId( ) 602 includes getting the minimum and maximum free available or not in use) UID from NextFreeUnixId user, incrementing the minimum UID by one and assigning the resulting UID to nextId, and returning the nextId and the maxId. According to various embodiments, the incrementing of UIDs can be preferably by one unit, but may also be by any other number or interval. Alternatively, the incrementing can occur in reverse, starting with a maximum UID, and dis-incrementing the maximum UID value until a minimum UID value has been achieved.
According to various embodiments, in LDAP, the command “NextFreeUnixId” may be used for generating UIDs for new user accounts. The initial range of UIDs may range from be from “start_range” to “end_range,” which may be initially set up during cluster installation. An LDAP process may start with the “start_range” and may increment until reaching the “end_range.” Once the “end_range” is reached, the system or method (e.g., controller) preferably determines or identifies one or more applicable holes in the range and then preferably picks the largest hole range. The “start_range” and “end_range” are then preferably re-initialized with the obtained hole range. By following the described process, UID assignment collisions are avoided during automatic UID assignment, as desired.
FIG. 8 is another subset 800 of the example routine 600 of FIG. 6, where a hole is found and a new range assigned, according to various embodiments.
The findHoleAndAssignNewRange( ) 604 (e.g., LDIF) routine, as shown with respect to FIG. 6, can preferably include four (or more) subroutines. The subroutines of findHoleAndAssignNewRange( ) 604 can include determining or receiving the existing users' UIDs and storing them in a list, finding the hole that has the maximum range of UIDs, and assigning it to maxRange. Then, the minimum UID of maxRange can be assigned to the minimum UID, and the maximum of maxRange can be assigned to the maximum, and the minimum and maximum UID values can be returned, according to various embodiment.
FIG. 9 depicts a computer system 900 according to embodiments of the present disclosure.
Computer system 900 includes controller 910 having processors 912 and 914. In embodiments, each processor 912, 914 can be a single processor or a multi-threaded processor, a general purpose or a special purpose processor, a co-processor, or any of a variety of processing devices that can execute computing instructions. Server 104 of FIG. 1 may represent an embodiment of computer system 900. Computer system may also be a computing device or a controller, as used herein.
Computer system 900, as shown, is configured with an interface 916 to enable controller 910 to receive a request to assign a UID to a user as input 918, as described in particular with regard to FIGS. 3 and 4. In embodiments, the interface can enable controller 910 to receive, or otherwise access, 916 the input 918 via, for example, a network (e.g., an intranet, or a public network such as the Internet), or a storage medium, such as a disk drive internal or connected to controller 910. The interface can be configured for human input or other input devices, such as described later in regard to components of controller 910. It would be apparent to one of ordinary skill in the art that the interface can be any of a variety of interface types or mechanisms suitable for a computer, or a program operating in a computer, to receive or otherwise access or receive a source input or file.
Processors 912, 914 included in controller 910 are connected by a memory interface 920 to memory device or module 930. In embodiments, the memory 930 can be a cache memory, a main memory, a flash memory, or a combination of these or other varieties of electronic devices capable of storing information and, optionally, making the information, or locations storing the information within the memory 930, accessible to a processor. Memory 930 can be formed of a single electronic (or, in some embodiments, other technologies such as optical) module or can be formed of a plurality of memory devices. Memory 930, or a memory device (e.g., an electronic packaging of a portion of a memory), can be, for example, one or more silicon dies or chips, or can be a multi-chip module package. Embodiments can organize a memory as a sequence of bit, octets (bytes), words (e.g., a plurality of contiguous or consecutive bytes), or pages (e.g., a plurality of contiguous or consecutive bytes or words).
In embodiments, computer 900 can include a plurality of memory devices. A memory interface, such as 920, between a one or more processors and one or more memory devices can be, for example, a memory bus common to one or more processors and one or more memory devices. In some embodiments, a memory interface, such as 920, between a processor (e.g., 912, 914) and a memory 930 can be point to point connection between the processor and the memory, and each processor in the computer 900 can have a point-to-point connection to each of one or more of the memory devices. In other embodiments, a processor (for example, 912) can be connected to a memory (e.g., memory 930) by means of a connection (not shown) to another processor (e.g., 914) connected to the memory (e.g., 920 from processor 914 to memory 930).
Computer 900 can include an input/output (I/O) bridge, which can be connected to a memory interface, or to processor (not shown). An I/O bridge can interface the processors and/or memory devices of the computer 900 (or, other I/O devices) to I/O devices connected to the bridge. For example, controller 910 includes I/O bridge 950 interfacing memory interface 920 to I/O devices, such as I/O device 960. In some embodiments, an I/O bridge can connect directly to a processor or a memory, or can be a component included in a processor or a memory. An I/O bridge can be, for example, a peripheral component interconnect express (PCI-Express) or other I/O bus bridge, or can be an I/O adapter.
An I/O bridge can connect to I/O devices by means of an I/O interface, or I/O bus, such as I/O bus 922 of controller 910. For example, I/O bus 922 can be a PCI-Express or other I/O bus. I/O devices can be any of a variety of peripheral I/O devices or adapters connecting to peripheral I/O devices. For example, I/O device 960 can be a graphics card, keyboard or other input device, a hard disk drive (HDD), solid-state drive (SSD) or other storage device, a network interface card (NIC), etc. I/O device 960 can be an I/O adapter, such as a PCI-Express adapter, that connects components (e.g., processors or memory devices) of the computer 900 to I/O devices (e.g., disk drives, Ethernet networks, video displays, keyboards, mice, styli, touchscreens, etc.).
Computer 900 can include instructions executable by one or more of the processors (or, processing elements, such as threads of a processor). The instructions can be a component of one or more programs. The programs, or the instructions, can be stored in, and/or utilize, one or more memory devices of computer 900. As illustrated in the example of FIG. 9, controller 910 includes a plurality of programs or modules, such as UID status module 908 and UID assignment module 904. A program can be, for example, an application program, an operating system (OS) or a function of an OS, or a utility or built-in function of the computer 900. A program can be a hypervisor, and the hypervisor can, for example, manage sharing resources of the computer 900 (e.g., a processor or regions of a memory, or access to an I/O device) among a plurality of programs or OSes.
Programs can be “stand-alone” programs that execute on processors and use memory within the computer 900 directly, without requiring another program to control their execution or their use of resources of the computer 900. For example, controller 910 includes stand-alone program 908. A stand-alone program can perform particular functions within the computer 900, such as controlling, or interfacing (e.g., access by other programs) an I/O interface or I/O device. A stand-alone program can, for example, manage the operation, or access to, a memory (e.g., memory 930). A basic I/O subsystem (BIOS), or a computer boot program (e.g., a program that can load and initiate execution of other programs) can be a standalone program.
Controller 910 within computer 900 can include one or more OS 902, 906, and an OS can control the execution of other programs such as, for example, to start or stop a program, or to manage resources of the computer 900 used by a program. For example, controller 910 includes OSes 902 and 906, each of which can include, or manage execution of, one or more programs, such as OS 902 including (or, managing) program 904. In some embodiments, an OS can function as a hypervisor.
A program can be embodied as firmware (e.g., BIOS in a desktop computer, or a hypervisor) and the firmware can execute on one or more processors and, optionally, can use memory, included in the computer 900. Firmware can be stored in a memory (e.g., a flash memory) of the computer 900. For example, controller 910 includes firmware 940 stored in memory 930. In other embodiments, firmware can be embodied as instructions (e.g., comprising a computer program product) on a storage medium (e.g., a CD-ROM, DVD-ROM, a flash memory, or a disk drive), and the computer 900 can access the instructions from the storage medium.
In embodiments of the present disclosure, computer 900 can include instructions for the assignment of UIDs to users without collision. Controller 910 includes, for example, UID determination and assignment instructions 942, which can operate to assign UIDs and/or create user or administrator accounts at 944. The computer 900 can store the UID assignment instructions and/or the created user account information in a memory 930 of the computer 900, such as controller 910 storing the UID determination and assignment instructions 942 and assign UIDs and/or create user or administrator accounts 944 in memory 930.
The example computer system 900 and controller 910 are not intended to limiting to embodiments. In embodiments, computer system 900 can include a plurality of processors, interfaces, and inputs and can include other elements or components, such as networks, network routers or gateways, storage systems, server computers, virtual computers or virtual computing and/or I/O devices, cloud-computing environments, and so forth. It would be evident to one of ordinary skill in the art to include a variety of computing devices interconnected in a variety of manners in a computer system embodying aspects and features of the disclosure.
In embodiments, controller 910 can be, for example, a computing device having a processor (e.g., 912) capable of executing computing instructions and, optionally, a memory 930 in communication with the processor. For example, controller 910 can be a desktop or laptop computer; a tablet computer, mobile computing device, personal digital assistant (PDA), or cellular phone; or, a server computer, a high-performance computer (HPC), or a super computer. Controller 910 can be, for example, a computing device incorporated into a wearable apparatus (e.g., an article of clothing, a wristwatch, or eyeglasses), an appliance (e.g., a refrigerator, or a lighting control), a mechanical device, or (for example) a motorized vehicle. It would be apparent to one skilled in the art that a computer embodying aspects and features of the disclosure can be any of a variety of computing devices having processors and, optionally, memory devices, and/or programs.
Reference is made herein to the accompanying drawings that form a part hereof and in which are shown by way of illustration at least one specific embodiment. The detailed description provides additional specific embodiments. It is to be understood that other embodiments are contemplated and may be made without departing from the scope or spirit of the present disclosure. The detailed description, therefore, is not to be taken in a limiting sense. While the present disclosure is not so limited, an appreciation of various aspects of the invention will be gained through a discussion of the examples provided.
It is understood that numerous variations of automatic UID assignment could be made while maintaining the overall inventive design of various components thereof and remaining within the scope of the disclosure. Numerous alternate design or element features have been mentioned above.
As used herein, the singular forms “a,” “an,” and “the” encompass embodiments having plural referents, unless the content clearly dictates otherwise. As used in this specification and the appended claims, the term “or” is generally employed in its sense including “and/or” unless the content clearly dictates otherwise.
Unless otherwise indicated, all numbers expressing feature sizes, amounts, and physical properties are to be understood as being modified by the term “about.” Accordingly, unless indicated to the contrary, the numerical parameters set forth are approximations that can vary depending upon the desired properties sought to be obtained by those skilled in the art utilizing the teachings disclosed herein.
Although certain features are described generally herein relative to particular embodiments of the invention, it is understood that the features are interchangeable between embodiments to arrive at automatic UID assignment, without collision, that includes features of different illustrated embodiments. It is further understood that although certain embodiments discussed above include the creation of accounts for administrative users in the LDAP protocol using the disclosed methods and structures.
The present invention has now been described with reference to several embodiments thereof. The entire disclosure of any patent or patent application identified herein is hereby incorporated by reference. The foregoing detailed description and examples have been given for clarity of understanding only. No unnecessary limitations are to be understood therefrom. It will be apparent to those skilled in the art that many changes can be made in the embodiments described without departing from the scope of the invention. Thus, the scope of the present invention should not be limited to the structures described herein, but only by the structures described by the language of the claims and the equivalents of those structures.

Claims (20)

What is claimed is:
1. A system, comprising:
a controller operatively connected to at least a memory device and a storage device, the controller configured to perform steps including:
receiving an initial range of user identification values for account generation;
determining a first hole range of the initial range of user identification values, the first hole range including a first minimum user identification value and a first maximum user identification value;
assigning a first user identification value from the first hole range of the initial range of user identification values to a first user based on the first minimum and maximum user identification values;
determining a second user identification value from the first hole range of the initial range of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values; and
assigning the second user identification value to a second user.
2. The system of claim 1, wherein the controller is further configured to perform steps including:
creating a first user account based on the assigning the first user identification value to the first user; and
creating a second user account based on the assigning the second user identification value to the second user.
3. The system of claim 2, wherein the first user account includes login credentials including the first user identification value and a first user password.
4. The system of claim 1, wherein the controller is further configured to perform steps including:
determining whether the second user identification value is equal to the first maximum user identification value; and
determining, if it is determined that the second user identification value is equal to the first maximum user identification value, a second hole range of the initial range of user identification values having a second minimum user identification value and a second maximum user identification value, wherein the second hole range is configured to maximize a number of consecutive values between the second minimum and maximum user identification values within the initial range.
5. The system of claim 1, wherein the initial range of user identification values of the first hole range are each available for assignment to a user.
6. The system of claim 1, wherein the first hole range of the initial range of user identification values is configured to maximize a number of consecutive values between the first minimum and maximum user identification values within the initial range.
7. The system of claim 1, wherein assigning the first user identification value to the first user based on the first minimum and maximum user identification values is assigned to the first minimum user identification value.
8. The system of claim 1, wherein the controller is further configured to generate user accounts with associated collision-free user identification values in a lightweight directory access protocol (LDAP) directory database.
9. An account generation method, comprising:
receiving an initial range of user identification values;
determining a first hole range of the initial range of user identification values, the first hole range including a first minimum user identification value and a first maximum user identification value;
assigning a first user identification value from the first hole range of the initial range of user identification values to a first user based on the first minimum and maximum user identification values;
creating a first user account based on the assigning the first user identification value to the first user;
determining a second user identification value from the first hole range of the initial range of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values;
assigning the second user identification value to a second user; and
creating a second user account based on the assigning the second user identification value to the second user.
10. The method of claim 9, further comprising:
determining whether the second user identification value is equal to the first maximum user identification value; and
if it is determined that the second user identification value is equal to the first maximum user identification value, determining a second hole range of the initial range of user identification values having a second minimum user identification value and a second maximum user identification value, wherein the second hole range is configured to maximize a number of consecutive values between the second minimum and maximum user identification values within the initial range to implement a collision-free user identification value system.
11. The method of claim 9, wherein the initial range of user identification values are received in response to receiving a request for a user to gain access to a directory access protocol database.
12. The method of claim 9, wherein the first hole range of the initial range of user identification values is configured to maximize a number of consecutive values between the first minimum and maximum user identification values within the initial range.
13. The method of claim 9, wherein the first user account includes login credentials including the first user identification value and a first user password.
14. The method of claim 9, wherein assigning the first user identification value to the first user based on the first minimum and maximum user identification values is assigned to the first minimum user identification value.
15. A computer program product comprising a computer-readable storage device having a computer-readable program stored therein, wherein the computer-readable program, when executed on a computing device, causes the computing device to:
receive an initial range of user identification values;
determine a first hole range of the initial range of user identification values, the first hole range including a first minimum user identification value and a first maximum user identification value;
assign a first user identification value from the first hole range of the initial range of user identification values to a first user based on the first minimum and maximum user identification values;
create a first user account based on the assigning the first user identification value to the first user;
determine a second user identification value from the first hole range of the initial range of user identification values by incrementing the first user identification value based on the first minimum and maximum identification values;
assign the second user identification value to a second user; and
create a second user account based on the assigning the second user identification value to the second user.
16. The computer program product of claim 15, wherein the computer-readable program further causes the computing device to:
determine whether the second user identification value is equal to the first maximum user identification value; and
determine, if it is determined that the second user identification value is equal to the first maximum user identification value, a second hole range of the initial range of user identification values having a second minimum user identification value and a second maximum user identification value, wherein the second hole range is configured to maximize a number of consecutive values between the second minimum and maximum user identification values within the initial range.
17. The computer program product of claim 15, wherein the initial range of user identification values are received in response to receiving a request for a user to gain access to an LDAP directory database.
18. The computer program product of claim 15, wherein the first hole range of the initial range of user identification values is configured to maximize a number of consecutive values between the first minimum and maximum user identification values within the initial range.
19. The computer program product of claim 15, wherein the first user account includes login credentials including the first user identification value and a first user password.
20. The computer program product of claim 15, wherein assigning the first user identification value to the first user based on the first minimum and maximum user identification values is assigned to the first minimum user identification value.
US15/379,721 2016-12-15 2016-12-15 Automatic generation of unique identifiers for distributed directory management users Expired - Fee Related US10419410B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/379,721 US10419410B2 (en) 2016-12-15 2016-12-15 Automatic generation of unique identifiers for distributed directory management users

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/379,721 US10419410B2 (en) 2016-12-15 2016-12-15 Automatic generation of unique identifiers for distributed directory management users

Publications (2)

Publication Number Publication Date
US20180176200A1 US20180176200A1 (en) 2018-06-21
US10419410B2 true US10419410B2 (en) 2019-09-17

Family

ID=62556363

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/379,721 Expired - Fee Related US10419410B2 (en) 2016-12-15 2016-12-15 Automatic generation of unique identifiers for distributed directory management users

Country Status (1)

Country Link
US (1) US10419410B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11616584B2 (en) * 2015-02-13 2023-03-28 Samsung Electronics Co., Ltd. Transmitting apparatus and receiving apparatus and controlling method thereof

Citations (48)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010052013A1 (en) * 1997-09-26 2001-12-13 Wayne J. Munguia Integrated proxy interface for web based telecommunications network management
US6363372B1 (en) * 1998-04-22 2002-03-26 Zenith Electronics Corporation Method for selecting unique identifiers within a range
US6408306B1 (en) 1999-12-14 2002-06-18 International Business Machines Corporation Method and system for automated distinguished name lookup
US20020154144A1 (en) * 2001-04-18 2002-10-24 Lofgren Neil E. Image management system and methods using digital watermarks
US20030041154A1 (en) 2001-08-24 2003-02-27 Tran Trung M. System and method for controlling UNIX group access using LDAP
US20040003241A1 (en) * 2002-06-27 2004-01-01 Nokia, Inc. Authentication of remotely originating network messages
US20040044738A1 (en) * 2002-08-30 2004-03-04 Fujitsu Limited Client administration method and device
US20040162786A1 (en) * 2003-02-13 2004-08-19 Cross David B. Digital identity management
US20040267670A1 (en) 2003-06-27 2004-12-30 Wrq, Inc. Utilizing LDAP directories for application access control and personalization
US20050066191A1 (en) 2001-07-25 2005-03-24 Seagate Technology Llc System and method for delivering versatile security, digital rights management, and privacy services from storage controllers
US20060015930A1 (en) * 2004-07-15 2006-01-19 Idan Shoham Process for removing stale users, accounts and entitlements from a networked computer environment
US7016945B2 (en) 2001-04-27 2006-03-21 Sun Microsystems, Inc. Entry distribution in a directory server
US20060085089A1 (en) * 2004-10-15 2006-04-20 Applied Materials, Inc. Die-level traceability mechanism for semiconductor assembly and test facility
US20060129816A1 (en) * 2004-12-10 2006-06-15 International Business Machines Corporation Method and system for secure binding register name identifier profile
US7240211B2 (en) 2001-10-09 2007-07-03 Activcard Ireland Limited Method of providing an access request to a same server based on a unique identifier
US20070156945A1 (en) * 2003-12-11 2007-07-05 Yasuo Nakata Signal processing circuit
US20080005779A1 (en) * 2006-07-03 2008-01-03 Fujitsu Limited Computer-readable recording medium storing access rights management program, access rights management apparatus, and access rights management method
US20080014975A1 (en) * 2006-07-14 2008-01-17 Hui Jin Methods and apparatus related to assignment in a wireless communications system
US20080013490A1 (en) * 2003-02-19 2008-01-17 Rajiv Laroia Methods and apparatus related to assignment in a wireless communications system
US20090132554A1 (en) * 2005-05-20 2009-05-21 Duaxes Corporation Data processing system
US20090275354A1 (en) * 2005-05-24 2009-11-05 Shozu Ltd. method of power management in a data replication process deployed in a wireless device
US20100178896A1 (en) * 2007-06-04 2010-07-15 Terrero Diaz-Chiron Maria Esther Method for Processing Service Requests in a Telecommunications System
US20100211657A1 (en) * 2009-02-13 2010-08-19 Red Hat, Inc. Automatic Extension of Distributed Managed Ranges in a Multi-Master System
US7945942B2 (en) * 2005-07-15 2011-05-17 Microsoft Corporation System and methods for exchanging user interface data in a multi-user system
US7996674B2 (en) 2006-10-19 2011-08-09 International Business Machines Corporation LDAP user authentication
US8312088B2 (en) * 2009-07-27 2012-11-13 Sandisk Il Ltd. Device identifier selection
US20120294307A1 (en) * 2011-05-18 2012-11-22 Hitachi, Ltd. Apparatus and Method for Identifier Management
US8364957B2 (en) 2004-03-02 2013-01-29 International Business Machines Corporation System and method of providing credentials in a network
US20130145299A1 (en) * 2010-08-05 2013-06-06 Roche Diagnostics Operations, Inc. Method for aggregating task data objects and for providing an aggregated view
US20130254395A1 (en) * 2012-03-26 2013-09-26 Cellco Partnership D/B/A Verizon Wireless Equipment identity registration
US8611124B2 (en) * 2008-01-28 2013-12-17 Samsung Electronics Co., Ltd. Semiconductor memory device including plurality of memory chips
US20140114748A1 (en) * 2012-10-23 2014-04-24 Sean Michael Bruich Determining Advertising Effectiveness Bases on a Pseudo-Control Group
US8745697B2 (en) 2007-03-19 2014-06-03 Ricoh Company, Limited Information processing apparatus and information processing method
US20140215007A1 (en) * 2013-01-31 2014-07-31 Facebook, Inc. Multi-level data staging for low latency data access
US8875255B1 (en) * 2012-09-28 2014-10-28 Emc Corporation Preventing user enumeration by an authentication server
US8935805B2 (en) 2007-07-11 2015-01-13 International Business Machines Corporation Method and system for enforcing password policy in a distributed directory
US8965340B1 (en) * 2012-09-27 2015-02-24 Emc Corporation Mobile device indentification by device element collection
US20150081837A1 (en) * 2013-09-13 2015-03-19 Google Inc. Provisioning a plurality of computing devices
US20150116610A1 (en) 2012-10-30 2015-04-30 Tpk Touch Solutions (Xiamen) Inc. Touch panel
US9069979B2 (en) 2012-09-07 2015-06-30 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
US9081951B2 (en) 2011-09-29 2015-07-14 Oracle International Corporation Mobile application, identity interface
US20150235037A1 (en) * 2010-10-25 2015-08-20 Openpeak Inc. Creating Distinct User Spaces Through User Identifiers
US20150269207A1 (en) * 2014-03-18 2015-09-24 Cong Deng Simple and efficient method for recycling device identifiers
US20160014138A1 (en) 2014-07-08 2016-01-14 International Business Machines Corporation Encoding ldap role and domain information in a fixed format
US20160072793A1 (en) * 2014-09-08 2016-03-10 Square, Inc. Mitigating risk of account enumeration
US9384485B1 (en) * 2013-11-26 2016-07-05 American Express Travel Related Services Company, Inc. Systems and methods for rapidly provisioning functionality to one or more mobile communication devices
US20170004527A1 (en) * 2015-07-01 2017-01-05 Turn Inc. Systems, methods, and devices for scalable data processing
US20180075081A1 (en) * 2016-09-14 2018-03-15 Tommy Chipman Self-cleaning token vault

Patent Citations (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010052013A1 (en) * 1997-09-26 2001-12-13 Wayne J. Munguia Integrated proxy interface for web based telecommunications network management
US6363372B1 (en) * 1998-04-22 2002-03-26 Zenith Electronics Corporation Method for selecting unique identifiers within a range
US6408306B1 (en) 1999-12-14 2002-06-18 International Business Machines Corporation Method and system for automated distinguished name lookup
US20020154144A1 (en) * 2001-04-18 2002-10-24 Lofgren Neil E. Image management system and methods using digital watermarks
US7016945B2 (en) 2001-04-27 2006-03-21 Sun Microsystems, Inc. Entry distribution in a directory server
US20050066191A1 (en) 2001-07-25 2005-03-24 Seagate Technology Llc System and method for delivering versatile security, digital rights management, and privacy services from storage controllers
US20030041154A1 (en) 2001-08-24 2003-02-27 Tran Trung M. System and method for controlling UNIX group access using LDAP
US7240211B2 (en) 2001-10-09 2007-07-03 Activcard Ireland Limited Method of providing an access request to a same server based on a unique identifier
US20040003241A1 (en) * 2002-06-27 2004-01-01 Nokia, Inc. Authentication of remotely originating network messages
US20040044738A1 (en) * 2002-08-30 2004-03-04 Fujitsu Limited Client administration method and device
US20040162786A1 (en) * 2003-02-13 2004-08-19 Cross David B. Digital identity management
US20080013490A1 (en) * 2003-02-19 2008-01-17 Rajiv Laroia Methods and apparatus related to assignment in a wireless communications system
US20040267670A1 (en) 2003-06-27 2004-12-30 Wrq, Inc. Utilizing LDAP directories for application access control and personalization
US20070156945A1 (en) * 2003-12-11 2007-07-05 Yasuo Nakata Signal processing circuit
US8364957B2 (en) 2004-03-02 2013-01-29 International Business Machines Corporation System and method of providing credentials in a network
US20060015930A1 (en) * 2004-07-15 2006-01-19 Idan Shoham Process for removing stale users, accounts and entitlements from a networked computer environment
US20060085089A1 (en) * 2004-10-15 2006-04-20 Applied Materials, Inc. Die-level traceability mechanism for semiconductor assembly and test facility
US20060129816A1 (en) * 2004-12-10 2006-06-15 International Business Machines Corporation Method and system for secure binding register name identifier profile
US20090132554A1 (en) * 2005-05-20 2009-05-21 Duaxes Corporation Data processing system
US20090275354A1 (en) * 2005-05-24 2009-11-05 Shozu Ltd. method of power management in a data replication process deployed in a wireless device
US7945942B2 (en) * 2005-07-15 2011-05-17 Microsoft Corporation System and methods for exchanging user interface data in a multi-user system
US20080005779A1 (en) * 2006-07-03 2008-01-03 Fujitsu Limited Computer-readable recording medium storing access rights management program, access rights management apparatus, and access rights management method
US20080014975A1 (en) * 2006-07-14 2008-01-17 Hui Jin Methods and apparatus related to assignment in a wireless communications system
US7996674B2 (en) 2006-10-19 2011-08-09 International Business Machines Corporation LDAP user authentication
US8745697B2 (en) 2007-03-19 2014-06-03 Ricoh Company, Limited Information processing apparatus and information processing method
US20100178896A1 (en) * 2007-06-04 2010-07-15 Terrero Diaz-Chiron Maria Esther Method for Processing Service Requests in a Telecommunications System
US8935805B2 (en) 2007-07-11 2015-01-13 International Business Machines Corporation Method and system for enforcing password policy in a distributed directory
US8611124B2 (en) * 2008-01-28 2013-12-17 Samsung Electronics Co., Ltd. Semiconductor memory device including plurality of memory chips
US8108523B2 (en) * 2009-02-13 2012-01-31 Red Hat, Inc. Automatic extension of distributed managed ranges in a multi-master system
US20100211657A1 (en) * 2009-02-13 2010-08-19 Red Hat, Inc. Automatic Extension of Distributed Managed Ranges in a Multi-Master System
US8312088B2 (en) * 2009-07-27 2012-11-13 Sandisk Il Ltd. Device identifier selection
US20130145299A1 (en) * 2010-08-05 2013-06-06 Roche Diagnostics Operations, Inc. Method for aggregating task data objects and for providing an aggregated view
US20150235037A1 (en) * 2010-10-25 2015-08-20 Openpeak Inc. Creating Distinct User Spaces Through User Identifiers
US20180082077A1 (en) * 2010-10-25 2018-03-22 Openpeak Llc Creating distinct user spaces through user identifiers
US20120294307A1 (en) * 2011-05-18 2012-11-22 Hitachi, Ltd. Apparatus and Method for Identifier Management
US9081951B2 (en) 2011-09-29 2015-07-14 Oracle International Corporation Mobile application, identity interface
US20130254395A1 (en) * 2012-03-26 2013-09-26 Cellco Partnership D/B/A Verizon Wireless Equipment identity registration
US9069979B2 (en) 2012-09-07 2015-06-30 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
US8965340B1 (en) * 2012-09-27 2015-02-24 Emc Corporation Mobile device indentification by device element collection
US8875255B1 (en) * 2012-09-28 2014-10-28 Emc Corporation Preventing user enumeration by an authentication server
US20140114748A1 (en) * 2012-10-23 2014-04-24 Sean Michael Bruich Determining Advertising Effectiveness Bases on a Pseudo-Control Group
US20150116610A1 (en) 2012-10-30 2015-04-30 Tpk Touch Solutions (Xiamen) Inc. Touch panel
US20140215007A1 (en) * 2013-01-31 2014-07-31 Facebook, Inc. Multi-level data staging for low latency data access
US20150081837A1 (en) * 2013-09-13 2015-03-19 Google Inc. Provisioning a plurality of computing devices
US9384485B1 (en) * 2013-11-26 2016-07-05 American Express Travel Related Services Company, Inc. Systems and methods for rapidly provisioning functionality to one or more mobile communication devices
US20150269207A1 (en) * 2014-03-18 2015-09-24 Cong Deng Simple and efficient method for recycling device identifiers
US20160014138A1 (en) 2014-07-08 2016-01-14 International Business Machines Corporation Encoding ldap role and domain information in a fixed format
US20160072793A1 (en) * 2014-09-08 2016-03-10 Square, Inc. Mitigating risk of account enumeration
US20170004527A1 (en) * 2015-07-01 2017-01-05 Turn Inc. Systems, methods, and devices for scalable data processing
US20180075081A1 (en) * 2016-09-14 2018-03-15 Tommy Chipman Self-cleaning token vault

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11616584B2 (en) * 2015-02-13 2023-03-28 Samsung Electronics Co., Ltd. Transmitting apparatus and receiving apparatus and controlling method thereof

Also Published As

Publication number Publication date
US20180176200A1 (en) 2018-06-21

Similar Documents

Publication Publication Date Title
US11979285B2 (en) System and method for generic configuration management system application programming interface
US11574070B2 (en) Application specific schema extensions for a hierarchical data structure
CA2998685C (en) Transmission of tags and policies with data objects
EP3398091B1 (en) System and method for unified access control on federated database
US7630974B2 (en) Multi-language support for enterprise identity and access management
US7747647B2 (en) Distributing permission information via a metadirectory
JP6306055B2 (en) Using free-form metadata for access control
US20100030995A1 (en) Method and apparatus for applying database partitioning in a multi-tenancy scenario
US20210318998A1 (en) Dynamic schema based multitenancy
US20050283478A1 (en) Soap-based Web services in a multi-tenant database system
US8516138B2 (en) Multiple authentication support in a shared environment
US8819231B2 (en) Domain based management of partitions and resource groups
US20180300369A1 (en) Secure query interface
US20190089541A1 (en) Configuration updates for access-restricted hosts
US10419410B2 (en) Automatic generation of unique identifiers for distributed directory management users
US10397130B2 (en) Multi-cloud resource reservations
US10628594B2 (en) Managing multi-tenant systems using object-oriented models
US20120110011A1 (en) Managing application access on a computing device
US11086844B2 (en) Unified instance authorizations with application owned hierarchies
JP2004303051A (en) Data management method, data management device, information processor, and telecommunication network system
Bagui et al. Oracle 19c's Multitenant Container Architecture and Big Data
Helskyaho et al. Oracle Autonomous Database for Machine Learning
Brimhall et al. Securables, Permissions, and Auditing

Legal Events

Date Code Title Description
AS Assignment

Owner name: SEAGATE TECHNOLOGY LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GOVINDAN, DEIVAPALAN PERUMAL;GOUGE, CHRISTOPHER DAVID;SIGNING DATES FROM 20161212 TO 20161213;REEL/FRAME:040941/0553

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20230917